July 13th, 2006, 02:53 AM
Just quickly, is there a firefox extension or some tool for quickly scanning something with all those different AVs?
Cereal: Eaten at all times of the day.
July 13th, 2006, 03:32 AM
Simply go to www.virustotal.com and upload a sample. They run it against a handful of vendor signatures and the output is what Nihil has posted.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
July 13th, 2006, 09:43 AM
Hi there wheaty_bytes
TH13 is quite right. I use virus total (he has given you the link) and Jotti, which is here:
They both do as he says but use slightly different mixtures of AVs, so you get broader cover if you use both. I tend to use them as a "first pass" just to see if something has already been discovered or if it looks like generic malware.
July 13th, 2006, 01:31 PM
As this has been resolved, I won't add that much other than ntscan, ipcscan, and sqlscan have been the most popular tools I have seen in windows honeynet research. They all function as TH13 has noted; by grinding against a box with a list of passwords. Typically the password that got them in to your box will be at the top of the list if you find it on your box. An attacker typically will break in to a box and start trying to spread their sphere of influence in a matter of moments.
These are pretty much a part of the standard l337 h4x0r toolkit containing things like fport, psinfo and the like (usually a kit of 8 executables).
Antionline in a nutshell
"You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"
Trust your Technolust
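The password-grinding tools described above leave a very recognisable trail in the Windows Security log: a burst of failed logons from one source, and, when the grind works, a successful logon from the same source right after the last failure. The following is an added example for this thread (not code from any post, tool or project named here) that flags that pattern in a log export. The line format, the sample lines, the threshold and the time window are constructed for illustration; the event IDs used are the standard Windows ones (4625/4624 for failed/successful logon on Vista and later, 529/528 on Windows 2000/2003).

```python
"""Spot password grinding against a Windows host from a Security-log export.

Added example for this thread, not code from any post or tool mentioned in it.
Assumptions (labelled): log lines are in a constructed, simplified
"timestamp,event_id,account,source_ip" format; the threshold and window are
tunable guesses, not values from the thread.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Standard Windows logon event IDs: Vista+/2008 and the 2000/2003 equivalents.
FAILED_LOGON = {4625, 529}
SUCCESS_LOGON = {4624, 528}

# Constructed sample export: one burst of guesses from 10.0.0.7 that ends in a
# successful logon, plus one user who simply mistyped a password twice.
SAMPLE_LOG = """\
2008-03-09 22:01:03,4625,administrator,10.0.0.7
2008-03-09 22:01:04,4625,administrator,10.0.0.7
2008-03-09 22:01:04,4625,administrator,10.0.0.7
2008-03-09 22:01:05,4625,administrator,10.0.0.7
2008-03-09 22:01:06,4625,administrator,10.0.0.7
2008-03-09 22:01:07,4624,administrator,10.0.0.7
2008-03-09 22:15:40,4625,jsmith,10.0.0.22
2008-03-09 22:15:55,4625,jsmith,10.0.0.22
2008-03-09 22:16:10,4624,jsmith,10.0.0.22
"""


def parse(text):
    """Turn the constructed export into (timestamp, event_id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, eid, account, src = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), account, src))
    return events


def find_grinding(events, threshold=5, window=timedelta(minutes=5)):
    """Per source address: the largest number of failed logons inside `window`,
    whether a successful logon followed the last failure (the grind likely
    worked), and which accounts were tried. Only sources at or above
    `threshold` are reported."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[3]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e[1] in FAILED_LOGON]
        # Sliding window over the failure timestamps.
        best, start = 0, 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            last_fail = fails[-1][0]
            success_after = any(e[1] in SUCCESS_LOGON and e[0] >= last_fail for e in evs)
            findings[src] = {
                "failures": best,
                "success_after_burst": success_after,
                "accounts": sorted({e[2] for e in fails}),
            }
    return findings


if __name__ == "__main__":
    for src, info in find_grinding(parse(SAMPLE_LOG)).items():
        print(src, info)
```

A source that both exceeds the threshold and shows `success_after_burst` is the case the thread describes: the guessed password "got them in", so that account's credentials (and any cached domain credentials on the box) should be treated as compromised, not just the single host.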
March 9th, 2008, 10:22 PM
Where can I download this FTP & NT Scanner by lomax?
March 9th, 2008, 10:39 PM
You're probably lucky that it was only some "young'un" that rooted you, who by the sounds of it didn't really know what he was doing - password grinding remote domain machines is the action of someone who has either tried everything else and has run out of options, or someone who doesn't really understand what they are doing. Although personally I would still change any cached domain credentials and all local credentials if I was you.
If you had been rooted by someone who had half a clue, they would have left something a tad more advanced running, such as whosthere from the Pass the Hash toolkit - as this is not a virus it won't show up as such - and if they exploited you by a method that left them with a bind shell or similar, then it is possible some actions they performed would not show up in your eventvwr.
Personally I would perform a close inspection of everything on the server/workstation. Don't presume that because you have plugged the original fault that allowed you to be rooted in the first place, that you are secure... if it was me I would take for granted that you would find the original attack vector, which may even result in the server being removed/reformatted, and would have provided myself with some other method to retain the access I have to your server and/or network... chances are they did not confine themselves to one server; unless you have good security practices/policies in place... which folks rarely do.
Last edited by Nokia; March 9th, 2008 at 10:47 PM.
March 10th, 2008, 12:22 PM
Thread closed... it cannot be relevant today.